# security headers

# Consider configuring "helmet" option in config.js instead, if applicable.
# Said options will limit the header tags only to pages served by lolisafe service,
# and not the uploaded files that will instead be directly served by nginx.

#add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self'; media-src 'self'; connect-src 'self'; font-src 'self' data: https://fonts.gstatic.com; worker-src 'self' blob:";
add_header Permissions-Policy "accelerometer=(), autoplay=(self), camera=(self), fullscreen=(self), gyroscope=(), magnetometer=(), microphone=(self), midi=(), payment=(), picture-in-picture=(self), sync-xhr=(self), usb=(self)";

# . files
location ~ /\.(?!well-known) {
    deny all;
}